Episode 46: In this episode of Critical Thinking - Bug Bounty Podcast, Justin is deep diving the topic of SAML (Security Assertion Markup Language), and walks through what it is and why it can be intimidating, before going over some key attack vectors to look for. Then he closes out with a commentary on a sample payload, and some HackerOne reports.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: [email protected]
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
------ Ways to Support CTBBPodcast ------
Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.
KazHACKstan
Testing SAML security with DAST
https://agrrrdog.blogspot.com/2023/01/testing-saml-security-with-dast.html
How to break SAML if I have paws?
https://speakerdeck.com/greendog/how-to-break-saml-if-i-have-paws?slide=20
How to Hunt Bugs in SAML; a Methodology
https://epi052.gitlab.io/notes-to-self/blog/2019-03-16-how-to-test-saml-a-methodology-part-three/
SAML Raider
https://portswigger.net/bappstore/c61cfa893bb14db4b01775554f7b802e
External Entity Injection during XML signature verification
https://bugs.chromium.org/p/project-zero/issues/detail?id=2313
mTLS: When certificate authentication is done wrong
https://github.blog/2023-08-17-mtls-when-certificate-authentication-is-done-wrong/
HackerOne Uber Report
https://hackerone.com/reports/136169
Timestamps:
(00:00:00) Introduction
(00:05:25) Understanding SAML and its complexities
(00:08:30) SAML Attack Vectors
(00:14:15) XML Signature Wrapping
(00:19:50) Some SAML tests to try
(00:30:30) Sample Payload description
(00:34:10) Token Recipient confusion
(00:36:05) HackerOne Reports